Supermicro IPMI/BMC Vulnerability Analysis

This is an extremely critical vulnerability (see VERT advisory with vulnerability detection info here). The affected server component is the baseboard management controller or BMC. These BMCs are essentially a computer running in the same chassis as your server providing out of band access.

An attacker with control over an affected system can view and interact with the server’s host operating system in various ways. For example, a compromised BMC would allow an attacker to upload a Linux live CD, reboot the server to this disc, and use it to recover data or pivot into a network.

Consumer products do not typically have BMCs, but this disclosure does highlight various risks to embedded devices in many homes. The password file is exposed by the Intel SDK for UPnP devices web server which is also used in home routers, media centers, home automation systems and more.

Although most (if not all of these systems) should not have the /PSBlock password disclosure, there is a lot of information exposed by probing these services which can lead to attackers having remote access into homes. For example, the server banner alone can disclose that a system is running an out of date Linux kernel with known vulnerabilities.

It has been a bad couple of years for UPnP and IPMI, but unfortunately these protocols and their associated risks are not going away overnight. UPnP is still very common in consumer products and IPMI is still the de facto standard for out of band server management.

In this case, many systems will go unpatched because it can be quite inconvenient to power down a system while the BMC firmware is re-flashed. In light of this, Zachary Wikholm has described steps you can take to SSH into affected products and stop the vulnerable UPnP service.

In most environments, UPnP is probably not adding any value so administrators who cannot yet update their firmware should strongly consider this mitigation.

Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.